Use the Comparisons Function to Find Unwanted Security Discrepancies

by Steve Biskie, Managing Director, High Water Advisors

March 28, 2013

An often overlooked function in transaction code SUIM allows you to quickly discover security problems, without any knowledge of authorization objects. It prompts you to ask relevant questions about user and role differences.

The standard SUIM security reporting transaction contains a useful but often overlooked function that you can use to quickly highlight potential security discrepancies. This function – Comparisons – can provide tremendous benefit to auditors, compliance professionals, or anyone else who needs to quickly get a feel for user security (including security administrators who may not have been involved in the original design). Using it you can identify and then investigate any glaring problems. The nice thing about this function is that it doesn’t require any knowledge of authorization objects if you use it in the way I describe (although it does provide relevant field-level details within authorization objects for those who need it).

Because this technique uses standard SAP functionality, it can be used by any organization running SAP ERP. However, I would not recommend this for organizations using SAP Access Control; there are much better ways to quickly identify potential problems with that application. For those who are not using SAP Access Control, however, this trick allows you to quickly determine if you have user security issues. It potentially even helps build the case towards moving to a more robust security management application such as SAP Access Control.

For the purposes of this tip, I approach the use of Comparisons as an audit and compliance professional. I’m interested in seeing, in a very short period of time, whether I have any significant security issues (and I don’t intend to find every granular problem). Because of that, I’m going to intentionally choose to look for several problems that frequently occur in organizations, specifically:

Scenario 1: Users who have transferred to a new position but continue to retain privileges associated with their previous positions

Scenario 2: Users who have remained in the same position for a long time, and accumulated unneeded privileges over time

Scenario 3: Similar roles that have not been consistently maintained over time (either because of decentralized maintenance or broken change control processes)
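Each of the three scenarios reduces to a set comparison over user-to-role and role-to-authorization assignments, which is what the Comparisons function displays. The following is an added example, not code from the article or from SAP: it runs those comparisons in Python over constructed data (the user IDs, Z_* role names, company codes and the AP_CLERK position grouping are all hypothetical), and position_outliers goes one step beyond the pairwise SUIM compare by checking every member of a position against the roles all of them share.

```python
"""Set-based user and role comparisons, the logic behind SUIM -> Comparisons.

Everything below is constructed for illustration: user IDs, role names and
authorization values are hypothetical and do not come from a real system.
"""

# Constructed user -> role assignments, as SUIM would list them per user.
USER_ROLES = {
    "JSMITH": {"Z_AP_CLERK", "Z_GL_DISPLAY", "Z_SD_ORDER", "Z_SD_PRICING"},  # moved Sales -> AP
    "ABROWN": {"Z_AP_CLERK", "Z_GL_DISPLAY"},                                # AP clerk
    "CJONES": {"Z_AP_CLERK", "Z_GL_DISPLAY", "Z_MM_PO_CREATE", "Z_FI_VENDOR_MAINT"},  # AP clerk, long tenure
}
# Constructed position -> members, the "peers" a user is compared against.
POSITIONS = {"AP_CLERK": ["ABROWN", "CJONES", "JSMITH"]}

# Constructed role -> authorization values as "OBJECT:FIELD=VALUE" strings.
# F_BKPF_BUK (company-code check on accounting documents) is a real SAP object;
# the company codes and activities assigned to these roles are made up.
ROLE_AUTHS = {
    "Z_AP_CLERK_US": {"F_BKPF_BUK:BUKRS=1000", "F_BKPF_BUK:ACTVT=01", "F_BKPF_BUK:ACTVT=03"},
    "Z_AP_CLERK_DE": {"F_BKPF_BUK:BUKRS=2000", "F_BKPF_BUK:ACTVT=01", "F_BKPF_BUK:ACTVT=02",
                      "F_BKPF_BUK:ACTVT=03"},
}


def compare_users(user, peer, user_roles=USER_ROLES):
    """Scenario 1: roles each user holds that the other does not (pairwise, like SUIM)."""
    a, b = user_roles[user], user_roles[peer]
    return sorted(a - b), sorted(b - a)


def position_outliers(position, positions=POSITIONS, user_roles=USER_ROLES):
    """Scenario 2: extend the pairwise compare to a whole position. The baseline is
    the roles every member holds; anything beyond it is accumulated access to review."""
    members = positions[position]
    baseline = set.intersection(*(user_roles[m] for m in members))
    return {m: sorted(user_roles[m] - baseline) for m in members if user_roles[m] - baseline}


def compare_roles(role_a, role_b, role_auths=ROLE_AUTHS):
    """Scenario 3: authorization values that differ between two roles that should be
    maintained alike. A differing BUKRS is expected for regional variants; a differing
    ACTVT is the kind of drift the comparison is meant to surface."""
    a, b = role_auths[role_a], role_auths[role_b]
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    print("JSMITH vs ABROWN:", compare_users("JSMITH", "ABROWN"))
    print("AP_CLERK outliers:", position_outliers("AP_CLERK"))
    print("US vs DE role:", compare_roles("Z_AP_CLERK_US", "Z_AP_CLERK_DE"))
```

In practice the two dictionaries would be filled from the user and role lists SUIM produces, and each non-empty difference is a question for the role owner rather than a finding in itself.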


Steve Biskie

Steve Biskie has been working with SAP ERP systems for more than two decades, and is considered an international expert in SAP audit issues, risk management, and GRC. He was an expert reviewer for the book Security, Audit, and Control Features: SAP ERP (3rd Edition), and the author of Surviving an SAP Audit.

Steve will be presenting at the upcoming SAPinsider GRC 2017 conference, June 14-16, 2017, in Amsterdam.